| Previous | Next |
| STATUS_LOGON_FAILURE | STATUS_INVALID_LOGON_HOURS |
STATUS_ACCOUNT_RESTRICTION
User Account Control (UAC) is a mandatory access control enforcement feature introduced with Microsoft’s Windows Vista and Windows Server 2008 operating systems, with a more relaxed version also present in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows 11. It aims to improve the security of Microsoft Windows by limiting application software to standard user privileges (force returning STATUS_ACCOUNT_RESTRICTION (0xC000006E) for some operations) until an administrator authorizes an increase or elevation. In this way, only applications trusted by the user may receive administrative privileges, and malware should be kept from compromising the operating system. In other words, a user account may have administrator privileges assigned to it, but applications that the user runs do not inherit those privileges unless they are approved beforehand or the user explicitly authorizes it.
UAC
uses Mandatory Integrity Control to isolate running processes with different
privileges. To reduce the possibility of lower-privilege applications communicating
with higher-privilege ones, another new technology, User Interface Privilege Isolation,
is used in conjunction with User
Account Control to isolate these processes from each other. One prominent use of
this is Internet Explorer 7’s “Protected Mode”.
Operating systems on mainframes and on servers have differentiated between superusers and userland for decades. This had an obvious security component, but also an administrative component, in that it prevented users from accidentally changing system settings with an error code.
How to Set Up Limited User Accounts in Windows & STATUS_ACCOUNT_RESTRICTION
To be successful, malware and other security exploits frequently leverage the powers of highly privileged Windows user accounts. It’s not entirely a shock, then, that a new report reveals that 86 percent of all Windows security threats patched in 2015 would have been stopped or rendered toothless if they had attacked users who were using limited, rather than administrator, accounts, and hence lacked the power to install, modify or delete software.
The 2015 Microsoft Vulnerabilities Study by Manchester, England-based enterprise-security provider Avecto, released Tuesday (Feb. 2), showed that 85 percent of remote-code-execution bugs (some of the most dangerous flaws) detailed in Microsoft’s monthly Patch Tuesday reports would be nullified if the Windows active user did not have administrative rights. (The same company reached similar conclusions two years ago.)
Microsoft Office and Windows 10 would also be much safer, as 82 percent of the security flaws would be blocked. Users with limited, a.k.a. “regular” accounts would have been protected from a whopping 99.5 percent of Internet Explorer vulnerabilities on all platforms, and 100 percent of Microsoft Edge security flaws in Windows 10.
We advise all Windows users to operate their PCs primarily from regular/limited accounts, and to sign into administrative accounts only when they need to install, remove or update software. The default account that ships on most Windows computers is an admin account, so you’ll need to create additional, regular accounts. OS X and Linux users would also be wise to use non-administrative accounts for their daily activity, but fewer exploits exist overall on those platforms.